
I have set up a security context meant for REST. The configuration is as follows:

    <!-- authentication manager and password hashing -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="daoAuthenticationProvider" />
    </authentication-manager>

    <beans:bean id="daoAuthenticationProvider"
        class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="userDetailsService" />
        <beans:property name="passwordEncoder" ref="passwordEncoder" />
    </beans:bean>

    <beans:bean id="userDetailsService" name="userAuthenticationProvider"
        class="com.myapp.auth.AuthenticationUserDetailsGetter" />

    <beans:bean id="passwordEncoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
    </beans:bean>

    <global-method-security pre-post-annotations="enabled" />

    <!-- web services -->
    <http use-expressions="true" pattern="/rest/**"
        disable-url-rewriting="true" entry-point-ref="restAuthenticationEntryPoint">
        <custom-filter ref="restProcessingFilter" position="FORM_LOGIN_FILTER" />
        <intercept-url pattern="/rest/login" access="permitAll"/>
        <intercept-url pattern="/rest/**" access="isAuthenticated()" />
        <logout delete-cookies="JSESSIONID" />
    </http>

    <beans:bean id="restProcessingFilter" class="com.myapp.auth.RestUsernamePasswordAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="filterProcessesUrl" value="/rest/login" />
    </beans:bean>

And I overrode the UsernamePasswordAuthenticationFilter as follows:

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.authority.AuthorityUtils;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

    public class RestUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
        private AuthService authService; // injected; performs the actual credential check

        @Override
        public Authentication attemptAuthentication(HttpServletRequest request,
                HttpServletResponse response) {
            Authentication authentication = null;
            String username = request.getParameter("j_username");
            String password = request.getParameter("j_password");
            // Calls authService directly: the authenticationManager (and its BCrypt
            // DaoAuthenticationProvider) from the XML config is not consulted here.
            boolean valid = authService.authenticate(username, password);
            if (valid) {
                User user = updateLocalUserInfo(username);
                authentication = new UsernamePasswordAuthenticationToken(user,
                        null, AuthorityUtils.createAuthorityList("USER")); // credentials dropped
                // Redundant: the parent filter stores the result in the SecurityContext itself.
                SecurityContextHolder.getContext().setAuthentication(authentication);
            }
            // null means "not complete": the parent filter sends no response and skips the failure handler.
            return authentication;
        }
    }

The above authentication is working fine when I tried it with

RestClient restClient = new RestClient();
String result = restClient.login("hq", "a1234567"); // RestTemplate.postForObject

The only thing left is the result from the authentication post (at the moment, result is null). How can I configure my security configuration in order to retrieve some result? A flag or session ID will suffice.

abiieez

1 Answer


I think the best bet here would be an AuthenticationSuccessHandler.

This will only kick in if the authentication was successful. You can generate some sort of UUID and set that in your response directly. I have used a very similar approach for ReST auth and have not hit any problems yet.

For a detailed implementation guide, please refer to: https://stackoverflow.com/a/23930186/876142

Update for comment #1:

You can get response just like any normal ReST request.

This is how I am sending back my token as JSON:

String tokenJsonResponse = new ObjectMapper().writeValueAsString(authResponse); // com.fasterxml.jackson.databind.ObjectMapper
// setContentType rather than addHeader: it sets the charset too and cannot leave a second Content-Type header
httpResponse.setContentType("application/json;charset=UTF-8");
httpResponse.getWriter().print(tokenJsonResponse);

Assuming you know how to use RestTemplate, the rest is trivial.

Anuj Patel
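The success-handler approach from the answer, written out as an added example (this is editor-supplied illustration, not code from the question, the answer, or the linked post). It mints an opaque 256-bit random token, remembers which user it belongs to, and returns it as JSON; a nested failure handler returns a 401 JSON body so the client gets a result in both cases. The class names, the in-memory `tokens` map, the `usernameFor` lookup, the JSON field names and the use of `java.util.Base64` (Java 8) are all assumptions made for the example.

```java
package com.myapp.auth;

import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

/**
 * Success handler for the /rest/login filter: issues an opaque random token for the
 * authenticated user and writes it as JSON instead of the form-login redirect.
 * Illustrative class (an assumption for this example, not the project's own code).
 */
public class RestAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    private static final SecureRandom RANDOM = new SecureRandom();
    private final ObjectMapper mapper = new ObjectMapper();

    // token -> username. In-memory for the example only; a real deployment needs a
    // shared store with expiry so tokens can be revoked and do not live forever.
    private final Map<String, String> tokens = new ConcurrentHashMap<String, String>();

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        String token = newToken();
        tokens.put(token, authentication.getName());

        Map<String, Object> body = new LinkedHashMap<String, Object>();
        body.put("authenticated", true);
        body.put("user", authentication.getName());
        body.put("token", token);

        response.setStatus(HttpServletResponse.SC_OK);
        response.setContentType("application/json;charset=UTF-8");
        // The body carries a credential: forbid caching by browsers and proxies.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("Pragma", "no-cache");
        mapper.writeValue(response.getWriter(), body);
    }

    /** 256 random bits from SecureRandom, URL-safe base64 without padding. */
    String newToken() {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Lookup for a later bearer-token filter (assumed); null if the token is unknown. */
    public String usernameFor(String token) {
        return token == null ? null : tokens.get(token);
    }

    /** Companion failure handler: 401 with a JSON body instead of an empty or redirected response. */
    public static class RestAuthenticationFailureHandler implements AuthenticationFailureHandler {
        private final ObjectMapper mapper = new ObjectMapper();

        @Override
        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                AuthenticationException exception) throws IOException, ServletException {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentType("application/json;charset=UTF-8");
            Map<String, Object> body = new LinkedHashMap<String, Object>();
            body.put("authenticated", false);
            // Generic message on purpose: echoing exception.getMessage() can reveal
            // whether the username or the password was the wrong part.
            body.put("error", "invalid credentials");
            mapper.writeValue(response.getWriter(), body);
        }
    }
}
```

Wire both into the existing `restProcessingFilter` bean with the `authenticationSuccessHandler` and `authenticationFailureHandler` properties that `AbstractAuthenticationProcessingFilter` exposes. Two caveats: the success handler only runs when `attemptAuthentication` returns a non-null `Authentication`, and the failure handler only runs when it throws an `AuthenticationException` (for example `BadCredentialsException`), so a filter that returns null on bad credentials never reaches either handler. And the session ID does not need to be put in the body: the container already returns it in the `Set-Cookie: JSESSIONID=...` header of the login response, which a RestTemplate client can read from the response headers if it wants to reuse the session.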